Taras, On Sat, Jun 30, 2012 at 6:46 AM, Taras <ox...@oxdef.info> wrote: > 2all, just want to say that now we are passed all our XSS tests. > > ./test.sh > nose.config: INFO: Ignoring files matching ['^\\.', '^_', '^setup\\.py$'] > w3af is officially supported under Python 2.6 > test_all (core.data.context.tests.test_context.TestContext) ... passed > test_html_inside_js (core.data.context.tests.test_context.TestContext) ... > passed > test_payload (core.data.context.tests.test_context.TestContext) ... passed > test_payload_double_script > (core.data.context.tests.test_context.TestContext) ... passed > test_payload_html_inside_comment > (core.data.context.tests.test_context.TestContext) ... passed > test_payload_html_inside_script_with_comment > (core.data.context.tests.test_context.TestContext) ... passed > test_payload_script_broken_double_close > (core.data.context.tests.test_context.TestContext) ... passed > test_payload_script_broken_double_open > (core.data.context.tests.test_context.TestContext) ... passed > test_payload_script_single_quote > (core.data.context.tests.test_context.TestContext) ... passed > test_payload_text_can_break > (core.data.context.tests.test_context.TestContext) ... passed > > ----------------------------------------------------------------------------- > 10 tests run in 0.3 seconds (10 tests passed) > > > > Now time for WAVSEP! :)
That's AWESOME news! I've just reviewed what WAVSEP has for XSS, and the ideal thing would be to make sure we pass all tests inside these directories: RXSS-Detection-Evaluation-COOKIE-Experimental RXSS-Detection-Evaluation-GET RXSS-Detection-Evaluation-GET-Experimental RXSS-Detection-Evaluation-POST RXSS-Detection-Evaluation-POST-Experimental RXSS-FalsePositives-GET In the best case scenario we would have one test for each test case (note there are many inside each directory). That way we would know exactly which case fails if we break something. Regards, > > On 06/27/2012 11:31 AM, Taras wrote: >> >> Steve, >> >>> You may wish to look at how both arachni and ZAP handle this problem, as >>> they both now detect 100% of the XSS part of the WAVSEP benchmark. >> >> I will look on these tools, thanks! >> >>> >>> (I must admit I have some concerns with using REGEX to do the job >>> instead of a real parser for both false positives and false negatives.) >>> >>> Steve >>> >> >> > > > -- > Taras > http://oxdef.info > GPG: C8D1F510 -- Andrés Riancho Project Leader at w3af - http://w3af.org/ Web Application Attack and Audit Framework Twitter: @w3af GPG: 0x93C344F3 ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
